Companies Turn to War Games to Spot Scarce Cybersecurity Talent

A major shipping company is under attack. With help from a corrupt executive, an international hacking syndicate called Scorpius, has penetrated the computer networks of Fast Freight Ltd. The hackers have taken control of servers and compromised the systems that control Fast Freight’s vessels and its portside machinery. The company’s cybersecurity consultants have 48 hours to uncover the breach and repulse the attackers before they cripple Fast Freight’s business and cause serious economic damage.

It sounds like the plot to a blockbuster thriller. But this was the fictional scenario 42 budding computer security experts faced at the annual U.K. Cyber Security Challenge competition earlier this week in London. With demand for cybersecurity expertise exploding, but qualified people in short supply, war-gaming competitions like this have become key recruiting grounds for companies and government security agencies.

“We want to find untapped talent to fill roles in our own operation and in the industry as a whole,” said Rob Partridge, BT Group Plc’s head of commercial development for penetration testing. BT is one of a half-dozen companies, including Airbus SE, Cisco Systems Inc. and smaller, specialist cybersecurity firms Darktrace Ltd. and Check Point Software Technologies Ltd., that sponsored this year’s Challenge competition. The U.K.’s National Crime Agency, the Bank of England and law firm 4 Pump Court also supported the competition.

Partridge also said he hopes the competition will help raise the profile of cybersecurity as a profession, encouraging more students to pursue a career in the field.

There are about 1 million unfilled cybersecurity jobs globally, according to an estimate from Cisco. And computer security firm Symantec Corp. forecasts that the number of positions will grow to 1.5 million by 2019. In the U.K., advertised cybersecurity roles exceed interested candidates by about 3 to 1, according to online recruitment site Indeed.

It’s this gap that Cyber Security Challenge U.K., a non-profit organization set up by the British government with support from corporations and universities, is supposed to help fill. The group runs a series of online games that allow amateur cybersleuths and white-hat hackers to test their skills. Those who score well online are invited to a series of regional, in-person competitions. The top performers at these events are then invited to the annual three-day masterclass and team-based competition where they face a realistic scenario created by experts from the sponsoring companies.

About 70 percent of the finalists wind up being hired into cybersecurity jobs within 12 months, Nigel Harrison, co-founder and acting chief executive officer of Cyber Security Challenge, said.

The challenge began in 2010, amid growing concern about the cyberwarfare capabilities of other countries, including China and Russia, Harrison said. It was loosely modeled on similar events in the U.S., such as those run by the U.S. Department of Energy’s National Laboratories and the U.S. Department of Homeland Security.

This year’s competition focused on potential cyberattacks on the shipping industry largely because it was held at Trinity House, a Georgian building that houses a 500-year-old charity empowered by the British government to maintain lighthouses and other aides to maritime navigation, Harrison said. But he said ports and shipping were important components of critical national infrastructure that are increasingly targeted by hackers. Recently, A.P. Moller-Maersk A/S, one of the world’s largest shipping companies, posted a third-quarter-loss after having its business disrupted by a cyberattack last summer.

Previous years’ competition scenarios were scripted, but this year’s featured a live “red team” made up of professional network penetration testers from the sponsoring companies. That made the war-gaming more realistic – and more difficult as the competing teams might plug one vulnerability only to see the attackers shift tactics and exploit another one.

It also included hacks of industrial systems, such as those that control robot arms and factory equipment. Even many cybersecurity experts are unfamiliar with the software that manages this kind of equipment, said Kevin Jones, head of cybersecurity architecture and innovation at Airbus.

As Sophia McCall’s team struggled to repel a group of attackers that had compromised five of its six computers, forcing the group to work on one machine, the 19-year old student from Bournemouth University said the competition was the toughest she’s ever participated in. “It’s good but it’s definitely been really challenging,” she said.

McCall said she normally practices hacking networks, not defending them and was finding that playing defense was teaching her to think differently. “It caught me off guard,” she said. “But it is good to be on the flip side and see what that is like.”

The push for realism also extended to requiring the competing teams to brief the board of the fictional shipping company on their investigation. They also had to present forensic evidence and the competition organizers brought in actual trial lawyers, in the wigs and gowns they wear in the U.K., to grill the competitors.

“It’s not just about technical skills,” Jones said. “We need people with business knowledge too, and presentation skills. It even reaches into psychology, since human factors are one of the major vulnerabilities in any network.”

Jess Williams, now a cybersecurity technical consultant at BT, is among those who have found jobs after being talent-spotted at the competition. She had been studying computer game design at De Montfort University in Leicester, England, in 2015 when on a lark she decided to try her hand at the online Cyber Security Challenge games. She advanced all the way through the finals competition, where she caught the attention of BT, which later offered her a job. This year, Williams returned to the competition to help run it.